Re: SASL External Mechanism
Thank you very much for your help, Tony. I feel quite sheepish. In all
my rereading, I missed, "This is a user-only directive and can only be
specified in a user's .ldaprc file." After moving "TLS_CERT" and
"TLS_KEY" from "ldap.conf" to ".ldaprc", this error disappeared.
Unfortunately, the server is still unable to verify the client.
As before, "slapd.conf" contains:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient demand
".ldaprc" contains:
TLS_CERT /etc/ldap/cert.pem
TLS_KEY /etc/ldap/key.pem
ldapsearch -d 7 -x -H "ldaps://wum.lat" -s base -b "" supportedSASLMechanisms
produces:
ldap_create
ldap_url_parse_ext(ldaps://wum.lat)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP wum.lat:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.179.73:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=wum.lat
tls_write: want=81, written=81
0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f4 d2 ed da
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 3f f4 d2 ed 66 4e f6 fe 21 05
tls_read: want=5, got=5
0000: 16 03 01 02 46 ....F
tls_read: want=582, got=582
[...]
tls_read: want=5, got=5
0000: 16 03 01 01 8d .....
tls_read: want=397, got=397
[...]
tls_read: want=5, got=5
0000: 16 03 01 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=139, written=139
0000: 16 03 01 00 86 10 00 00 82 00 80 a6 63 a8 c0 c9
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=277, written=277
[...]
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 b0 .....
tls_read: want=176, got=176
0000: 3b 42 7a 43 b9 2b b1 3f 8c 1e b3 12 63 fb e8 85
TLS certificate verification: depth: 0, err: 0, subject: C=, ST=, L=,
O=dar, OU=, CN=wum.lat/Email=, issuer: C=, ST=, L=, O=dar, OU=,
CN=/Email=
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 3
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00
0....`........
tls_write: want=149, written=149
0000: 17 03 01 00 90 76 eb 42 01 6f 73 14 48 d1 78 38
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00
0....`........
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: wum.lat port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jan 1 18:09:51 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8 error=Success
ldap_perror
ldap_bind: Can't contact LDAP server (81)
slapd -d 7 -h "ldap:// ldaps:///"
produces:
@(#) $OpenLDAP: slapd 2.1.23 (Oct 18 2003 20:04:15) $
@euklid:/home/roland/debian/openldap/build/2.1.23-1/openldap2-2.1.23/
debian/build/servers/slapd
daemon_init: ldap:// ldaps:///
daemon_init: listen on ldap://
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address
family not supported by protocol)
daemon: initialized ldap://
ldap_url_parse_ext(ldaps:///)
slap_open_listener: socket() failed for AF_INET6 errno=97 (Address
family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 4 listeners opened
ldap_pvt_gethostbyname_a: host=wum, r=0
slapd init: initiated server.
slap_sasl_init: initialized!
>>> dnNormalize: <cn=Subschema>
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema,272)=0
<<< dnNormalize: <cn=subschema>
bdb_initialize: initialize BDB backend
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19,
2002)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=lat>
=> ldap_bv2dn(dc=lat,0)
<= ldap_bv2dn(dc=lat,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=lat,272)=0
<<< dnPrettyNormal: <dc=lat>, <dc=lat>
>>> dnNormalize: <>
<<< dnNormalize: <>
ldap_url_parse_ext(ldap://sil-fis.lat)
matching_rule_use_init
1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( oncRpcNumber
$ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( oncRpcNumber
$ ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES (
nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber
$ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $
homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $
nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $
dc $ mail $ altServer ) )
1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES (
nisMapEntry $ bootFile $ macAddress $ ipNetmaskNumber $ ipNetworkNumber
$ ipHostNumber $ memberNisNetgroup $ memberUid $ loginShell $
homeDirectory $ gecos $ janetMailbox $ cNAMERecord $ sOARecord $
nSRecord $ mXRecord $ mDRecord $ aRecord $ email $ associatedDomain $
dc $ mail $ altServer ) )
2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34
NAME 'certificateExactMatch' APPLIES ( cACertificate $ userCertificate
) )
2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: (
2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
supportedApplicationContext $ ldapSyntaxes $ matchingRuleUse $
objectClasses $ attributeTypes $ matchingRules $ supportedFeatures $
supportedExtension $ supportedControl $ structuralObjectClass $
objectClass ) )
2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: (
2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( oncRpcNumber $
ipProtocolNumber $ ipServicePort $ shadowFlag $ shadowExpire $
shadowInactive $ shadowWarning $ shadowMax $ shadowMin $
shadowLastChange $ gidNumber $ uidNumber $ mailPreferenceOption $
supportedLDAPVersion ) )
2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME
'generalizedTimeMatch' APPLIES ( modifyTimestamp $ createTimestamp ) )
2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME
'telephoneNumberMatch' APPLIES ( pager $ mobile $ homePhone $
telephoneNumber ) )
2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES userPassword )
2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
'integerMatch' APPLIES ( oncRpcNumber $ ipProtocolNumber $
ipServicePort $ shadowFlag $ shadowExpire $ shadowInactive $
shadowWarning $ shadowMax $ shadowMin $ shadowLastChange $ gidNumber $
uidNumber $ mailPreferenceOption $ supportedLDAPVersion ) )
2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
'booleanMatch' APPLIES hasSubordinates )
2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( homePostalAddress $ registeredAddress $
postalAddress ) )
2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( internationaliSDNNumber $ x121Address )
)
2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7
NAME 'caseExactSubstringsMatch' APPLIES ( dnQualifier $
destinationIndicator $ serialNumber ) )
2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( dnQualifier $ destinationIndicator $
serialNumber ) )
2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( preferredLanguage $ employeeType $
employeeNumber $ displayName $ departmentNumber $ carLicense $
nisMapName $ ipServiceProtocol $ documentPublisher $ buildingName $
organizationalStatus $ uniqueIdentifier $ co $ personalTitle $
documentLocation $ documentVersion $ documentTitle $ documentIdentifier
$ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $
uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $
generationQualifier $ initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $
businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $
serialNumber $ sn $ knowledgeInformation $ cn $ name $ ref $
vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3
NAME 'caseIgnoreOrderingMatch' APPLIES ( dnQualifier $
destinationIndicator $ serialNumber ) )
2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( preferredLanguage $ employeeType $
employeeNumber $ displayName $ departmentNumber $ carLicense $
nisMapName $ ipServiceProtocol $ documentPublisher $ buildingName $
organizationalStatus $ uniqueIdentifier $ co $ personalTitle $
documentLocation $ documentVersion $ documentTitle $ documentIdentifier
$ host $ userClass $ roomNumber $ drink $ info $ textEncodedORAddress $
uid $ labeledURI $ dmdName $ houseIdentifier $ dnQualifier $
generationQualifier $ initials $ givenName $ destinationIndicator $
physicalDeliveryOfficeName $ postOfficeBox $ postalCode $
businessCategory $ description $ title $ ou $ o $ street $ st $ l $ c $
serialNumber $ sn $ knowledgeInformation $ cn $ name $ ref $
vendorVersion $ vendorName $ supportedSASLMechanisms ) )
2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( dITRedirect $ associatedName $
secretary $ documentAuthor $ manager $ seeAlso $ roleOccupant $ owner $
member $ distinguishedName $ aliasedObjectName $ namingContexts $
subschemaSubentry $ modifiersName $ creatorsName ) )
2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedApplicationContext $
supportedFeatures $ supportedExtension $ supportedControl $
structuralObjectClass $ objectClass ) )
slapd startup: initiated.
bdb_db_open: dc=lat
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
ldap_pvt_gethostbyname_a: host=wum, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 4c ....L
tls_read: want=76, got=76
0000: 01 00 00 48 03 01 3f f4 d2 ed da 08 7c 1c 08 d4
tls_write: want=79, written=79
0000: 16 03 01 00 4a 02 00 00 46 03 01 3f f4 d2 ed 66
tls_write: want=587, written=587
[...]
tls_write: want=402, written=402
[...]
tls_write: want=9, written=9
0000: 16 03 01 00 04 0e 00 00 00 .........
tls_read: want=5 error=Resource temporarily unavailable
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 a6 63 a8 c0 c9 9a b7 f2 d3 fe
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 01 10 .....
tls_read: want=272, got=272
[...]
tls_write: want=6, written=6
0000: 14 03 01 00 01 01 ......
tls_write: want=181, written=181
0000: 16 03 01 00 b0 3b 42 7a 43 b9 2b b1 3f 8c 1e b3
TLS certificate verification: depth: 0, err: -49, subject: -unknown-,
issuer: -unknown-
TLS certificate verification: Error, Unknown error
TLS: can't accept.
TLS: Error in the certificate. (null):0
connection_read(13): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
I've confirmed that "/etc/ldap/cert.pem" and "/etc/ldap/key.pem" are
readable by the user, and that "/etc/ldap/cacert.pem" is world
readable.
Interestingly, I encounter exactly the same error if I omit
"TLSCACertificateFile" altogether, or if I remove
"/etc/ldap/cacert.pem".
Additionally, the CA certificate used by the client is also
"/etc/ldap/cacert.pem", and the certificate and key used by the server
are likewise "/etc/ldap/cacert.pem". Why, then, can the client verify
the server, yet the server can't verify the client?
Thanks again for all your help,
Jack
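To make traces like the ones above easier to read, here is an added example (my own, not code from the thread or from OpenLDAP) that turns the tls_read/tls_write hex dumps of a -d 7 trace into named TLS records: the 5-byte record header gives content type and length, the first body byte names the handshake message, and once a side has sent ChangeCipherSpec its later records are marked as encrypted instead of decoded. The sample input is constructed from the first dump row of a few records in the client-side ldapsearch trace; records elided as [...] in the trace carry no bytes to decode.

```python
import re
CONTENT = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE = {0x01: "ClientHello", 0x02: "ServerHello", 0x0b: "Certificate", 0x0d: "CertificateRequest",
             0x0e: "ServerHelloDone", 0x0f: "CertificateVerify", 0x10: "ClientKeyExchange", 0x14: "Finished"}
IO_RE = re.compile(r"^tls_(read|write): want=\d+")
ROW_RE = re.compile(r"^0000:((?: [0-9a-f]{2}){1,16})")  # first dump row only; the ASCII column is left out
# Constructed sample: the first dump row of some records in the client-side ldapsearch trace above.
SAMPLE = """\
tls_write: want=81, written=81
0000: 16 03 01 00 4c 01 00 00 48 03 01 3f f4 d2 ed da ....L...H..?....
tls_read: want=5, got=5
0000: 16 03 01 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 01 3f f4 d2 ed 66 4e f6 fe 21 05 ...F..?...fN..!.
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 b0 .....
tls_read: want=176, got=176
0000: 3b 42 7a 43 b9 2b b1 3f 8c 1e b3 12 63 fb e8 85 ;BzC.+.?....c...
"""

def row_bytes(line):
    m = ROW_RE.match(line)  # bytes of a first dump row, or None for any other trace line
    return [int(t, 16) for t in m.group(1).split()] if m else None

def decode_trace(lines):
    """One (direction, content type, record length, handshake message or None) per TLS record."""
    records, direction, headers = [], None, {}
    encrypted = {"read": False, "write": False}  # flipped by each side's ChangeCipherSpec
    for line in lines:
        m = IO_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        data = row_bytes(line)
        if not data or direction is None:
            continue
        if direction in headers:  # body of a record whose 5-byte header was read separately
            (ctype, length), body = headers.pop(direction), data
        elif len(data) < 5 or data[0] not in CONTENT or data[1] != 3:
            continue  # not a TLS record (e.g. the ber_flush dump of the LDAP request itself)
        else:
            ctype, length, body = data[0], data[3] << 8 | data[4], data[5:]
            if not body:  # header-only read: the body arrives with the next tls_read
                headers[direction] = (ctype, length)
                continue
        if ctype == 0x14:
            encrypted[direction] = True  # later records in this direction are opaque
        detail = ("encrypted" if encrypted[direction] and ctype != 0x14 else
                  HANDSHAKE.get(body[0], "unknown") if ctype == 0x16 and body else None)
        records.append((direction, CONTENT[ctype], length, detail))
    return records
```

Run against a full trace, the output shows which handshake messages each side actually sent before the verification error, which is the first thing to check when slapd reports an unknown certificate.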
On Jan 1, 2004, at 3:09 AM, Tony Earnshaw wrote:
Wed, 31.12.2003 at 18.37, ms419@freezone.co.uk wrote:
Hint:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate s3_srvr.c:1976
connection_read(15): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15
Note: TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate
--Tonni
--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl